The Regulators Are Making a Point

Last month New York’s Department of Financial Services (DFS) fined Residential Mortgage Services $1.5 million for not having a compliant cybersecurity program and, even worse, not telling the regulator that they had a breach.

DFS said that RMS did not investigate the breach seriously, did not conduct a comprehensive risk assessment and did not notify the victims.

This month DFS went after National Securities Corp.

DFS says that they had four separate cybersecurity “events” between 2018 and 2020.

DFS noted that during a 2019 incident an employee’s email account was compromised and, oh, yeah, NSC had not implemented multifactor authentication, which is required by law.

In another event, a broker of the company discovered a potentially unauthorized transfer of $200,000. As the investigation continued, they discovered more unauthorized transfers. Ultimately, the company wrote a check to the client for $400,000. Even then, they did not have multifactor authentication enabled.

They did finally implement multifactor authentication in August of last year.

Out of curiosity – have you implemented multifactor authentication on all systems?

In the consent order, the regulator pointed out the obvious. You have to have MFA enabled, even for third party applications.

As the regulator dug into things, they discovered two more incidents that were not reported as promptly as possible and, specifically, not within the 72 hours required by law.

Regulated entities that do business in New York are required to file an annual report with the regulator, signed by the CEO or CoB or similar person. The company claimed they were in compliance in that report, but according to DFS, because of all of these issues, they were not in compliance.

They fined National Securities $3 million and, as is typical in these cases, they said that they could not be reimbursed by insurance. They want them to feel the pain.

A summary of what happened can be found here.

Reading the consent order, one thing that the regulators seem to have focused in on is the fact that this company, like many companies, uses dozens of third party applications and many of these applications did not have multifactor authentication turned on.

In some cases, third party apps do not support multifactor authentication. In that case, you have to follow a process to assess the risk and implement alternate security measures. This process needs to be reassessed every single year. Companies have to follow this process for each application for which they cannot implement multifactor authentication.

The consent order requires the company to file a comprehensive incident response plan with the department within 120 days.

They also, according to the consent order, need to submit a comprehensive cybersecurity risk assessment.

For both of these items, the consent order lists specific items these documents need to include.

They also have to provide a copy of compliant policies and procedures and documentation of all cybersecurity awareness training in the same time frame.

I am not sure if this will be a monthly event with the regulators or not, but I do think they are getting tired of businesses ignoring the laws.

While this only affects companies that do business in New York (wherever they may be located), we are also seeing noise from other states, such as California, which has just created a whole new regulatory agency. Funded, I might point out, by the fines that they issue.

Add to that the fact that Virginia’s governor just signed a bill into law that is even more comprehensive than California’s and that there are a number of other states (Florida, Texas, Washington, for example) that are likely to enact similar laws this year.

Consider what the New York regulator is doing as a “shot across the bow”. Do not expect this to go away. Also understand that the condition of not getting reimbursed by insurance is a pretty standard requirement.

To quote Dirty Harry: “Do you feel lucky?”

If not, now is the time to get busy.
